ADAPTIVE INTRUSION DETECTION SYSTEM

PCT/US03/16119

This application is based, and claims priority to, provisional application having serial
number 60/357,957, a filing date of May 22, 2002, and entitled An Adaptive Intrusion
Detection System for a Computer Network

BACKGROUND OF THE INVENTION
Field of the Invention

The present invention relates to an adaptive intrusion detection system for a computer
system or network. More particularly, the present invention relates to an adaptive intrusion
detection system for a computer network that is capable of recognizing both known and new
types of computer attacks by learning from known types of attacks and past attacks against
computer networks and automatically compensating for changes in the network that impact
the vulnerability state and vulnerabilities of computers and hosts and the systems and services
on the network.
Description of the Prior Art 

Traditionally, securing sensitive systems and their information from being accessed
by unwanted parties over a public system meant just that - controlling access. Unfortunately,
the public nature of the Internet makes networks more easily vulnerable to attack by
malevolent external entities, such as computer hackers, who create programs that launch
computer attacks against networks, typically by attempting to circumvent or penetrate the
network's firewall. Consequently, security is an issue of foremost concern for any
organization utilizing a publicly accessible network, such as the Internet, to communicate.
More and more sophisticated methods have been created to address the weaknesses of the
systems before them. Access control is not enough. In response to the need for an added
level of control over access to information there has been a focus on monitoring the actual
content of the data, or payload, flowing into and out of systems. The purpose of this
monitoring is to detect intruders. Intrusion detection is a method of monitoring all access to
systems, with the hope of identifying access with a malicious intent to exploit vulnerabilities
of those systems. These exploits can be used as a vehicle to, among other things, gain access
to information, or to deny authorized users from using the system's resources. The intent of
gathering this data by security personnel is to either learn of vulnerabilities a system
possesses (which can then be used to remediate the situation), or to identify the source of the
intrusion in hopes to deny further access. The data gathered from intrusion detection systems
can also be used in an attempt to penalize the offender.

Unfortunately, existing intrusion detection systems, used as a complement to access
control, have not sufficiently addressed the problems. Monitoring all access to systems
consumes valuable time and resources. It also requires a relatively high level of technical
prowess to determine when an event of note has taken place. Many (if not most) times the
responsible party reviewing the data misinterprets it or is unable to respond in a timely
fashion. Clearly the prior art of intrusion detection is a useful tool, but a limited one.

Controlling access to information is not reacting to events after they have occurred,
but determining where systems and services are vulnerable before the access has taken place.
Armed with this information a solution can then become active in defending those
resources.

Network security hardware, software and/or firmware, such as firewalls and intrusion
detectors and the like, are typically employed to monitor traffic across the computer network
and to manage security. When an attack occurs, the event is generally logged and the
network administrator may be alerted by the network security system, although generally
after the damage to the network has occurred, if the network was vulnerable to the attack. In
these conventional systems, the network administrator, sitting at a terminal, attempts to
manually defend against attacks.

These conventional security systems have significant drawbacks: a) they can only
recognize a type of attack that they have been preprogrammed to detect, b) they cannot adapt
to attack types using past types of attacks as a guide, c) the number of known (much less
unknown) attack types against networks, numbering in the thousands, is great, while the
number of attack types that can be successful against a particular network are relatively
small, usually less than one hundred and, without continuous significant manual adjustments
to reflect the actual systems, services and vulnerabilities of a particular network, the security
system cannot distinguish between attack types that can be successful against a particular
network, due to the vulnerabilities of the particular network, from attack types that cannot
succeed against a particular network because the vulnerabilities to those attack types do not
exist in the particular network, thus making it nearly impossible for a network administrator
to timely respond to an attack type that can succeed against a particular network, d) the
security system cannot adjust to changes in the network without a network administrator's
continuous review of a particular network's systems, services and related attack
vulnerabilities, and subsequent continuous adjustment of the security system to reflect those
changes. These systems have the significant disadvantage that if the security system does not
properly identify an attack that, due to the particular network's vulnerabilities, can be
successful, and, just as important, distinguish the attack from the multitude of attacks that
will not be successful, then critical portions of the network can be penetrated or damaged
before the administrator can recognize that a successful attack has occurred.

Accordingly, an intrusion detection system is needed that is capable of: a) adapting to
new types of computer attacks and storing information on known attacks and logging and
acting on relevant attacks against the network, b) automatically identifying the vulnerabilities
that exist in a particular network's systems and services and updating such information when
changes occur in the systems and services, c) automatically updating its databases of globally
(all networks including systems and services available for networks) known systems and
services vulnerabilities, and the associated attack types that attempt to exploit those
vulnerabilities, d) correlating the actual vulnerabilities that exist in a particular network with
the signature information identifying attack types that attempt to exploit those vulnerabilities,
e) actively looking for only those attack types to which the particular network is vulnerable,
known as relevant attack types, and f) taking action when relevant attack types are identified,
alerting network administrators, stopping the attacks or instructing the firewall to stop the
attacks, or some combination of these, before the attacks can penetrate and damage portions
of the computer network.

SUMMARY OF THE INVENTION

The present invention can be embodied in intrusion detection software that can,
among other ways, either be installed on a computer hardware device that contains security
gateway software, such as a firewall, or it can be installed on a separate computer hardware
device and operate as an independent detection sensor or integrated with security gateway
software.

Advantageously, the software can operate directly on the security gateway. Most
current devices are in-line, i.e. traffic passes through them either before or after the gateway,
or operate as a tap. In-line devices generally operate in a redundant capacity providing
many of the same restrictions on communications that the security gateway already performs,
while ones that operate as a tap on the network wire usually do not inhibit traffic in the same
fashion. Rather than dropping, i.e. not responding to further attempts, they break the session
down, meaning that they communicate with the source and tell it to reset the session.
Embodiments of the invention include a method wherein the vulnerability state,
including the specific vulnerabilities of one or more computers comprising a particular
network's systems and services, is determined or a specific vulnerability assessment of one or
more computers is performed to determine the vulnerability state of the particular network
and its systems and services and what specific vulnerabilities exist on the computers. This is
accomplished using vulnerability information that is automatically updated. Attack
signatures, specific to globally known vulnerabilities, are correlated with the vulnerabilities
identified in the particular network and its systems and services.
DESCRIPTION OF THE DRAWINGS

The invention is best understood from the following detailed description when read
with the accompanying drawings.

Figure 1 depicts the operation of an adaptive intrusion detection system according to
an illustrative embodiment of the invention.

Figure 2 depicts the operation of an adaptive intrusion detection system according to a
further illustrative embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention is directed to an intrusion detection system, which has the
ability to adapt over time, and is preferably used in conjunction with, or integrated into, a
network security system such as a firewall. One of ordinary skill in the art will appreciate
that the present invention may be implemented as any of a number of well-known platforms,
preferably in a client/server architecture, although not limited thereto.

The present invention can interact with the security system's firewall, and can provide
a highly effective response that can either disconnect (or block) malicious communication
traffic or connections, or instruct a firewall to do so, without disrupting legitimate traffic.
An Internet-based Web interface may also be used to allow access to content such as
updated information databases, firewall policy configurations, and the intrusion detection
logs.

Figure 1 depicts an illustrative embodiment of the operation of an adaptive intrusion
detection system 100. As shown in Figure 1, the firewall policy information is transferred
from the firewall management server 102 into a vulnerability assessment or determination
tool 104. A currently updated list of vulnerabilities is then also loaded into vulnerability
assessment or determination tool 104. This list may be stored on firewall management server
102, on a separate hardware device or stored at a separate location.

Based upon the information contained in the firewall policy and the vulnerabilities
list, if the vulnerability assessment tool is used, the vulnerability assessment tool 104
conducts an attack on the relevant equipment on computer network 106 that had been
designated as potentially vulnerable to attack. The relevant equipment may be one or more
computers or hosts. The vulnerabilities of this equipment and its resident systems and
services are then determined and preferably loaded onto an intrusion detection management
server 108. The intrusion detection management server 108 then preferably correlates these
vulnerabilities with attack signatures. The intrusion detection management server 108 is then
preferably instructed to only identify these attack signatures. The intrusion detection
management server 108, preferably through an intrusion detection sensor 112, then instructs a
firewall 110 to block the specific sessions that have been identified.

In this way, vulnerability assessment tool 104 has enabled intrusion detection
management server 108 to properly identify exploits to which the equipment in computer
network 106 is vulnerable, classifying them as "valid attacks." All other known attacks are
then characterized as "invalid attacks." Because only a small percentage of traffic will be
improperly identified as matching a known attack pattern, and, of those patterns identified,
only a small percentage will match valid attacks, the present invention has the significant
advantage that it can substantially eliminate false positive identifications of attacks.

Vulnerability, as used herein, means a flaw in a product that makes it infeasible -
even when using the product properly - to prevent an attacker from usurping privileges on
the user's system, regulating its operation, compromising data on it, or assuming ungranted
trust. Vulnerability assessment means any method to determine what, and/or if any,
vulnerabilities exist on an application. A vulnerability assessment tool means any tool that
can carry out a vulnerability assessment/determination, and is not limited, for example, to a
scanning tool. Vulnerability assessments can be performed on applications which include
systems and services residing on computers and hosts such as in a network. Vulnerability
information means any information that relates to characterizing or identifying
vulnerabilities, for example, procedures, rules.

Figure 2 depicts an intrusion detection system according to a further illustrative
embodiment of the invention. In step 1, vulnerability information, assessment procedures
and rules are retrieved from a central computer. Periodically, such as once every twenty-four
hours, the time of which can be determined by the operator, the intrusion detection system,
through a secure communication session to a central computer, transfers files to its local
operating system. These files contain Vulnerability information and Assessment (VA)
procedures and rules (referred to as signatures) updated with globally known data, and data
which directly relates, or correlates, these dissimilar sets of information. These files can be
continuously updated for the most recent known vulnerability and attack information by an
operator.

In step 2, a security gateway (firewall) is queried. The intrusion detection system,
through utilization of an interface such as an application interface (API), securely queries a
repository located within a security gateway, or a management station, for Internet Protocol
(IP) addresses and services which are offered by computers or hosts, protected by the security
gateway, to the public Internet.

The vulnerability of computers or hosts is determined or assessed in Step 3. Among
other methods, a VA of these computer(s) is performed using the information acquired by the
query of the gateway, and the VA information and procedures previously transferred, to
determine which computers are vulnerable and what, if any, defects may exist in the systems
and services which would allow the computer(s) being tested to be compromised by a
malicious entity.

Once this list of defects is gathered, a correlation is performed to match the specific
attack signature(s) with the specific vulnerabilities determined in the above steps. These
attack signatures define specific attributes a communication session would need to possess to
exploit the identified defect.

The intrusion detection system then loads these attack signatures into a pattern
detection engine that has direct access to the communication streams between the protected
computer and the Internet. The detection engine examines all communication sessions that
pass through the security gateway. Armed with the attack signatures the detection engine can
identify specific traffic that is destined for a computer with a specific software defect. In
another embodiment, the intrusion detection system can instruct the security gateway to only
forward, to the pattern detection engine, communication destined for a computer or host that
was, in the prior step, determined to have vulnerabilities, thereby improving overall
efficiency.

In step 4, damaging content is identified and communications are inhibited. When the
intrusion detection system has determined that a specific communication session possesses
damaging content, the intrusion detection system inhibits, drops or discontinues further
communication with the offending source or, it utilizes a second API or interface to securely
instruct the security gateway to inhibit, drop or discontinue further communication with the
offending source. The length of time for discontinuing further communication with the
offending source can be pre-determined and set by an operator. This process then protects
the computer from communication sessions which would be damaging to it and/or prevents
unauthorized access to private information or resources.
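
The Figure 1 pipeline and steps 1 to 3 of Figure 2 (gateway inventory, vulnerability assessment, correlation of attack signatures to confirmed defects, and the "valid attack" / "invalid attack" classification), as an added Python example that is not part of this application. The gateway inventory, the vulnerability identifiers VULN-A to VULN-E, the signature identifiers SIG-1 to SIG-5, their patterns and the VA results are all constructed for illustration, and the `probe` callable stands in for whatever assessment procedure the tool actually runs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """An attack signature (step 1 data): the vulnerability it attempts to
    exploit, the service it travels over, and the payload attribute a session
    must possess to exploit that defect."""
    sig_id: str
    vuln_id: str
    service: str
    pattern: bytes


# Step 2: services the security gateway reports as offered to the Internet.
# Constructed sample; in practice this is pulled through the gateway's API.
GATEWAY_INVENTORY = {
    "203.0.113.10": {"http/80", "ssh/22"},
    "203.0.113.11": {"smtp/25"},
    "203.0.113.12": {"http/80"},
}

# Step 1: globally known vulnerability information keyed by the service it
# affects. VULN-A..VULN-E are constructed placeholder identifiers.
VULN_DB = {
    "http/80": {"VULN-A", "VULN-B"},
    "ssh/22": {"VULN-C"},
    "smtp/25": {"VULN-D"},
    "ftp/21": {"VULN-E"},
}

# Signatures tied to those vulnerabilities (constructed, illustrative patterns).
SIGNATURES = [
    Signature("SIG-1", "VULN-A", "http/80", b"/../../"),
    Signature("SIG-2", "VULN-B", "http/80", b"A" * 64),
    Signature("SIG-3", "VULN-C", "ssh/22", b"SSH-1.5-"),
    Signature("SIG-4", "VULN-D", "smtp/25", b"VRFY "),
    Signature("SIG-5", "VULN-E", "ftp/21", b"SITE "),
]

# Step 3: what the VA procedure found when it probed each candidate defect.
# Constructed results standing in for the assessment tool's output.
VA_RESULTS = {
    ("203.0.113.10", "VULN-A"): True,   # present: unpatched
    ("203.0.113.10", "VULN-B"): False,  # absent: patched
    ("203.0.113.10", "VULN-C"): False,
    ("203.0.113.11", "VULN-D"): True,
}


def candidate_vulnerabilities(services, vuln_db=VULN_DB):
    """Only vulnerabilities of services the host actually offers are candidates,
    so defects in services the gateway does not expose are never assessed."""
    found = set()
    for svc in services:
        found |= vuln_db.get(svc, set())
    return found


def assess(inventory=GATEWAY_INVENTORY, probe=None):
    """Step 3: confirm, per host, which candidate vulnerabilities exist.
    `probe(host, vuln_id) -> bool` stands in for the assessment procedure."""
    if probe is None:
        probe = lambda host, vid: VA_RESULTS.get((host, vid), False)
    return {host: {v for v in candidate_vulnerabilities(svcs) if probe(host, v)}
            for host, svcs in inventory.items()}


def correlate(assessed, signatures=SIGNATURES):
    """Correlation: map each host to the signatures that target a confirmed
    vulnerability on that host. Every other signature is an 'invalid attack'
    as far as that host is concerned."""
    return {host: {s.sig_id for s in signatures if s.vuln_id in vulns}
            for host, vulns in assessed.items()}


def relevant_signature_set(correlated):
    """The signatures the detection engine is instructed to look for at all."""
    union = set()
    for sigs in correlated.values():
        union |= sigs
    return union


def classify(correlated, dst_host, sig_id):
    """Figure 1 classification of a signature match against destination dst_host."""
    return "valid" if sig_id in correlated.get(dst_host, set()) else "invalid"


if __name__ == "__main__":
    corr = correlate(assess())
    print("relevant signatures:", sorted(relevant_signature_set(corr)))
    for host, sigs in corr.items():
        print(host, "->", sorted(sigs) or "no valid attacks")
```

With the constructed data, only SIG-1 and SIG-4 survive: SIG-5 is dropped because no exposed host offers ftp, and SIG-2 and SIG-3 are dropped because the assessment found those defects absent. A match of SIG-1 against the patched host 203.0.113.12 is classified "invalid", which is the mechanism the text relies on to cut false positives.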

In a further embodiment of the invention the information discovered in the
vulnerability determination or VA is used to determine a computer or host Vulnerability
State. In traditional systems this is not a current consideration and the system has to expend
excessive processing time interrogating each set of data contained in every communication
session to all protected computers or hosts, and the rate of traffic passing through the firewall
and/or system is degraded. This is changed, though, by considering for which destination the
traffic was bound. After the firewall checks a packet for the proper source, destination and
service, it can make another check before the firewall/gateway or the intrusion detection
engine engages in the process-intensive operation of trying to compare its payload against
signatures - the destination's vulnerability state. By determining the vulnerability state of
computers or hosts, the software program knows ahead of time that the destination is not
vulnerable to a connection, so the final in-depth signature-based tests can be bypassed, and
therefore the communication traffic rate is more efficient. By having the detection
engine of the intrusion detection system or the firewall/gateway only examine
communications that need to have a signature analysis performed, the software's performance
can be improved.
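
The step 4 decision path combined with the vulnerability-state check described above, as an added Python example that is not taken from this application. The `RELEVANT` map is a constructed stand-in for the correlation step's output, the addresses and patterns are constructed, and `block_seconds` plays the operator-set discontinuation period; the clock is injectable so the expiry of a block can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One communication session as seen by the gateway (constructed)."""
    src: str
    dst: str
    service: str
    payload: bytes


# Output of the correlation step (constructed): for each vulnerable host, the
# signatures that target a defect it actually has. Hosts absent from this map
# were assessed and found not vulnerable, so their vulnerability state is clean.
RELEVANT = {
    "203.0.113.10": {"SIG-1": ("http/80", b"/../../")},
    "203.0.113.11": {"SIG-4": ("smtp/25", b"VRFY ")},
}


def vulnerability_state(dst, relevant=RELEVANT):
    """The cheap check that precedes any payload inspection."""
    return "vulnerable" if relevant.get(dst) else "not vulnerable"


class DetectionEngine:
    """Step 4 decision path with the vulnerability-state bypass.
    `block_seconds` is the operator-set discontinuation period; `clock` is
    injectable so the expiry logic can be exercised deterministically."""

    def __init__(self, block_seconds, relevant=RELEVANT, clock=time.monotonic):
        self.block_seconds = block_seconds
        self.relevant = relevant
        self.clock = clock
        self.blocked_until = {}          # offending source -> expiry time
        self.stats = {"bypassed": 0, "inspected": 0, "blocked": 0}

    def _source_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:                # block period elapsed: lift it
            del self.blocked_until[src]
            return False
        return True

    def decide(self, s):
        """Return 'drop' (source under block), 'forward', or 'block:<sig>'."""
        now = self.clock()
        if self._source_blocked(s.src, now):
            return "drop"
        # Vulnerability-state check before any signature work: a destination
        # with no confirmed defects never reaches the payload comparison.
        if vulnerability_state(s.dst, self.relevant) != "vulnerable":
            self.stats["bypassed"] += 1
            return "forward"
        self.stats["inspected"] += 1
        # Only the signatures correlated to this destination are compared,
        # and only when the session is on the service the defect lives in.
        for sig_id, (service, pattern) in self.relevant[s.dst].items():
            if s.service == service and pattern in s.payload:
                self.blocked_until[s.src] = now + self.block_seconds
                self.stats["blocked"] += 1
                return f"block:{sig_id}"
        return "forward"


if __name__ == "__main__":
    eng = DetectionEngine(block_seconds=300)
    for sess in [
        Session("198.51.100.5", "203.0.113.12", "http/80", b"GET /../../x"),  # clean host
        Session("198.51.100.5", "203.0.113.10", "http/80", b"GET /index.html"),
        Session("198.51.100.5", "203.0.113.10", "http/80", b"GET /../../x"),
        Session("198.51.100.5", "203.0.113.10", "http/80", b"GET /index.html"),
    ]:
        print(sess.dst, eng.decide(sess))
    print(eng.stats)
```

The first session carries a pattern the engine knows, but because its destination was assessed as not vulnerable it is forwarded without the payload ever being compared; the same payload to the vulnerable host is blocked and its source is then dropped until the block period expires.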

The invention further includes a computer readable medium and a system comprising
one or more computers to carry out the methods described herein.

While the invention has been described by illustrative embodiments, additional
advantages and modifications will occur to those skilled in the art. Therefore, the invention in
its broader aspects is not limited to specific details shown and described herein.
Modifications, for example, to the computer hardware, order of method steps and
configuration of components, may be made without departing from the spirit and scope of the
invention. Accordingly, it is intended that the invention not be limited to the specific
illustrative embodiments, but be interpreted within the full spirit and scope of the appended
claims and their equivalents.

Claimed is:

1. An intrusion detection method comprising:
retrieving vulnerability information;
identifying attack signatures;
performing a vulnerability assessment of one or more of the following,
computers, hosts or combination thereof to determine what vulnerabilities exist on the
aforementioned; and
correlating the attack signatures with the existing vulnerabilities to identify
exploited vulnerabilities.

2. The intrusion detection method of claim 1 further comprising:
distinguishing between traffic to the one or more computers and/or host
having vulnerabilities and those not having vulnerabilities; and
only performing a vulnerability assessment on the one or more computers
and/or hosts having vulnerabilities.

3. The intrusion detection method of claim 1 further comprising:
only including attack signatures that are specific to the identified
vulnerabilities in the correlation step.

4. The intrusion detection method of claim 1 wherein the existence of
vulnerabilities on the computer(s) is determined by:
querying a security gateway for IP addresses and services of the computers;
and
using the vulnerability information and the IP addresses and services.

5. The intrusion detection method of claim 1 further comprising:
inhibiting or disconnecting one or more designated IP sessions associated with
attempted vulnerability exploitation.

6. The intrusion detection method of claim 1 further comprising:
updating the vulnerability information; and
repeating the steps of claim 1.

7. The intrusion detection method of claim 1 further comprising:
determining the computer's vulnerability state, and if the computer is not
vulnerable, bypassing the signature correlation step.

8. An intrusion detection system comprising:
a vulnerability determination tool to identify defects on one or more
computers, hosts, or combination thereof;
a correlation engine and database to correlate the defects with attack
signatures to identify specific attack signatures that relate to the specific vulnerabilities
identified;
an intrusion detection sensor to facilitate identifying and inhibiting or
dropping IP sessions or communication traffic associated with the attempted exploitation of
the specific vulnerabilities identified.

9. The intrusion detection system of claim 8 further comprising a
firewall, wherein the intrusion detection sensor instructs the firewall to inhibit or drop IP
sessions or communication traffic associated with the attempted exploitation of the specific
vulnerabilities identified.

10. The intrusion detection system of claim 9 further comprising an
application programming interface to pull vulnerability information into a vulnerability
determination tool; and
wherein the application programming interface and firewall are integrated into
a single component.

10. The intrusion detection system of claim 8 further comprising:
an application programming interface to pull vulnerability information into a
vulnerability determination tool.

11. The intrusion detection system of claim 8 wherein a security gateway or
firewall are integrated into a single component and/or on a single device or computer.

12. The intrusion detection system of claim 1 further comprising an Internet-based
Web interface.

13. The intrusion detection system of claim 1 further comprising a means for
updating the vulnerability determination assessment tool.

14. A computer readable medium to carry out the method of claim 1.

15. A system comprising one or more computers to carry out the method of claim
1.

16. An intrusion detection method comprising:
retrieving network and system configuration information;
retrieving vulnerability information and attack signature rules;
analyzing potential vulnerabilities only for systems and services present in the
network;
determining the presence of vulnerabilities or performing a vulnerability
assessment of one or more computers or hosts to determine if the computers or hosts are
vulnerable and what specific vulnerabilities exist on the computers;
retrieving vulnerability assessment information;
correlating the attack signatures with the specific vulnerabilities identified;
only examining communication traffic bound for vulnerable computers or
hosts and/or only comparing communication traffic to the attack signatures that relate to the
specific vulnerabilities of the computers, hosts or systems and services identified by the
intrusion detection system; and
dropping or inhibiting traffic or instructing the security gateway to drop or
inhibit traffic identified by the intrusion detection engine of the system or the firewall as
matching the attack signatures that relate to the specific vulnerabilities identified by the
intrusion detection system.